From mark at kingant.net Wed Jul 14 04:18:24 2010
From: mark at kingant.net (Mark Doliner)
Date: Wed, 14 Jul 2010 01:18:24 -0700
Subject: Remotely-triggerable crash in libpurple
Message-ID:

A security vulnerability has been discovered in libpurple. It is ONLY a
remote crash (null pointer dereference), not a buffer overflow. In the
past we have had CVE numbers issued for this. Josh, Jan or Tomas from
Red Hat, if you guys agree with all of this, do you think one of you
could handle issuing a CVE? Thanks!

Affected software: All clients based on libpurple 2.7.0 and 2.7.1
(Pidgin 2.7.0, 2.7.1 and Finch 2.7.0, 2.7.1)
Discovered by: Me!
Public: no
Embargo date: How does August 5th sound? That gives us one week to
finish making string changes, one week for translators to translate,
and one week for us to give you the 2.7.2 tarball and let you prepare
packages in advance.

Super Long Description of the Attached Patch:

This patch attempts to fix four bugs in the oscar protocol plugin that
were introduced with the X-Status code in Pidgin 2.7.0.

Problem #1 (the remotely-triggerable crash): The crash happens when a
buddy sets an xstatus message containing but no closing , or but no
closing . The fix is to check the result of strstr(closing_tag_name)
and do nothing if it is NULL.

Problem #2: Fixes potential incorrect parsing of the xstatus string
that could result in an incorrect message being displayed to the
libpurple user. Happens if an xstatus message contains before , or
before . The fix is to start looking for the closing tag at the end of
the beginning tag rather than at the beginning of the xstatus xml.
Probably not a security problem, but definitely a bug.

Problem #3: Fixes potential incorrect parsing of the xstatus string
that could result in the title not being shown to the libpurple user.
Happens if the close title tag appears after the desc tag in the
xstatus xml, because we add a null character at the beginning of the
close title tag, so strstr() for the desc tag would stop searching
there. Probably not a security problem, but definitely a bug.

Problem #4: Fixes potential incorrect display of the xstatus string
that could result in an incorrect message being displayed to the
libpurple user. Happens because we are reusing the 'xml' string when
preparing the string for the user, but we copy values from xml to xml.
If those values overlap with themselves or with each other then an
incorrect value could be displayed. Probably not a security problem,
but definitely a bug.

The patch is against the latest code in our source repository, and I
have not tested applying it to 2.7.0 or 2.7.1. I suspect it'll apply
with no fuzz, possibly with an offset. If you run into any problems
please let me know and I can try to help.

--Mark

-------------- next part --------------
A non-text attachment was scrubbed...
Name: oscar_xstatus_remote_crash_fix_2.diff
Type: text/x-patch
Size: 4715 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20100714/ac880dd7/attachment.bin>


From thoger at redhat.com Wed Jul 14 15:58:30 2010
From: thoger at redhat.com (Tomas Hoger)
Date: Wed, 14 Jul 2010 21:58:30 +0200
Subject: Remotely-triggerable crash in libpurple
In-Reply-To: <AANLkTin-3aXFwAOqkwEqTJ_u3egT1dS7UuKIvv9Rxn4B@mail.gmail.com>
References: <AANLkTin-3aXFwAOqkwEqTJ_u3egT1dS7UuKIvv9Rxn4B@mail.gmail.com>
Message-ID: <20100714215830.1acf5767@redhat.com>

Hi Mark!

On Wed, 14 Jul 2010 01:18:24 -0700 Mark Doliner wrote:

> A security vulnerability has been discovered in libpurple. It is ONLY
> a remote crash (null pointer dereference), not a buffer overflow. In
> the past we have had CVE numbers issued for this. Josh, Jan or Tomas
> from Red Hat, if you guys agree with all of this, do you think one of
> you could handle issuing a CVE? Thanks!

Similar problems were handled as security in the past, so I'm fine with
assigning a CVE that can be used in release notes / advisory. Please
use CVE-2010-2528.

-- 
Tomas Hoger / Red Hat Security Response Team


From mark at kingant.net Fri Jul 16 15:09:02 2010
From: mark at kingant.net (Mark Doliner)
Date: Fri, 16 Jul 2010 12:09:02 -0700
Subject: Remotely-triggerable crash in libpurple
In-Reply-To: <4C409A72.9070702@archlinux.org>
References: <AANLkTin-3aXFwAOqkwEqTJ_u3egT1dS7UuKIvv9Rxn4B@mail.gmail.com>
	<4C409A72.9070702@archlinux.org>
Message-ID: <AANLkTimOCyu_uuqSmpnR1qnu1vKlcmsLdodth2C6ScLV@mail.gmail.com>

(including the packagers list this time--sorry for the duplicate email
Ionut)

On Fri, Jul 16, 2010 at 10:44 AM, Ionut Biru <ibiru at archlinux.org> wrote:
> On 07/14/2010 11:18 AM, Mark Doliner wrote:
>
>> The patch is against the latest code in our source repository, and I
>> have not tested applying it to 2.7.0 or 2.7.1. I suspect it'll apply
>> with no fuzz, possibly with an offset. If you run into any problems
>> please let me know and I can try to help.
>
> the patch doesn't apply against 2.7.1. both hunks fail as the code was
> changed a lot since 2.7.1
>
> for the first hunk int num1,num2; -> guint16 num1, num2; and for second
> the first line remove is an if in 2.7.1.
>
> should i try backport it or is not so critical and can wait until 2.7.2
> is released?

Whoops, my bad. This bug is pretty easy for a remote hacker to trigger,
so probably worth patching (after it's made public, of course) if you're
not planning on shipping 2.7.2 immediately. I've backported the patch to
2.7.1 and attached it. I didn't try it against 2.7.0, but it might work.

--Mark

-------------- next part --------------
A non-text attachment was scrubbed...
Name: oscar_xstatus_remote_crash_fix_2_for_pidgin_2.7.1.diff
Type: text/x-diff
Size: 3076 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20100716/2d4e1e7f/attachment.diff>


From thoger at redhat.com Mon Jul 19 02:47:17 2010
From: thoger at redhat.com (Tomas Hoger)
Date: Mon, 19 Jul 2010 08:47:17 +0200
Subject: Remotely-triggerable crash in libpurple
In-Reply-To: <AANLkTin-3aXFwAOqkwEqTJ_u3egT1dS7UuKIvv9Rxn4B@mail.gmail.com>
References: <AANLkTin-3aXFwAOqkwEqTJ_u3egT1dS7UuKIvv9Rxn4B@mail.gmail.com>
Message-ID: <20100719084717.14a67494@redhat.com>

Hi!

On Wed, 14 Jul 2010 01:18:24 -0700 Mark Doliner wrote:

> Public: no
> Embargo date: How does August 5th sound? That gives us one week to
> finish making string changes, one week for translators to translate,
> and one week for us to give you the 2.7.2 tarball and let you prepare
> packages in advance.

We came across:
  https://bugs.gentoo.org/show_bug.cgi?id=328667

which seems to be based on:
  http://repos.archlinux.org/wsvn/packages/pidgin/?op=revision&rev=85620

So not really non-public any more.

-- 
Tomas Hoger / Red Hat Security Response Team


From elb at pidgin.im Mon Jul 19 11:38:28 2010
From: elb at pidgin.im (Ethan Blanton)
Date: Mon, 19 Jul 2010 11:38:28 -0400
Subject: Remotely-triggerable crash in libpurple
In-Reply-To: <20100719084717.14a67494@redhat.com>
References: <AANLkTin-3aXFwAOqkwEqTJ_u3egT1dS7UuKIvv9Rxn4B@mail.gmail.com>
	<20100719084717.14a67494@redhat.com>
Message-ID: <20100719153828.GB27736@colt>

Tomas Hoger spake unto us the following wisdom:
> Hi!
>
> On Wed, 14 Jul 2010 01:18:24 -0700 Mark Doliner wrote:
>
> > Public: no
> > Embargo date: How does August 5th sound? That gives us one week to
> > finish making string changes, one week for translators to translate,
> > and one week for us to give you the 2.7.2 tarball and let you prepare
> > packages in advance.
>
> We came across:
>   https://bugs.gentoo.org/show_bug.cgi?id=328667
>
> which seems to be based on:
>   http://repos.archlinux.org/wsvn/packages/pidgin/?op=revision&rev=85620
>
> So not really non-public any more.

This is Not OK. I'm now taking suggestions on how to make sure
packagers understand their responsibilities. :-P

So ... maybe we should do a 2.7.2 with nothing but this patch;
thoughts?

Ethan

-- 
The laws that forbid the carrying of arms are laws [that have no remedy
for evils]. They disarm only those who are neither inclined nor
determined to commit crimes.
                -- Cesare Beccaria, "On Crimes and Punishments", 1764


From mark at kingant.net Tue Jul 20 01:06:51 2010
From: mark at kingant.net (Mark Doliner)
Date: Mon, 19 Jul 2010 22:06:51 -0700
Subject: Remotely-triggerable crash in libpurple
In-Reply-To: <20100719153828.GB27736@colt>
References: <AANLkTin-3aXFwAOqkwEqTJ_u3egT1dS7UuKIvv9Rxn4B@mail.gmail.com>
	<20100719084717.14a67494@redhat.com>
	<20100719153828.GB27736@colt>
Message-ID: <AANLkTinDIjf8NDImqbZ5cYAGOCAZ7j0FA1NAKmCKEfiZ@mail.gmail.com>

On Mon, Jul 19, 2010 at 8:38 AM, Ethan Blanton <elb at pidgin.im> wrote:
> Tomas Hoger spake unto us the following wisdom:
>> Hi!
>>
>> On Wed, 14 Jul 2010 01:18:24 -0700 Mark Doliner wrote:
>>
>> > Public: no
>> > Embargo date: How does August 5th sound? That gives us one week to
>> > finish making string changes, one week for translators to translate,
>> > and one week for us to give you the 2.7.2 tarball and let you prepare
>> > packages in advance.
>>
>> We came across:
>>   https://bugs.gentoo.org/show_bug.cgi?id=328667
>>
>> which seems to be based on:
>>   http://repos.archlinux.org/wsvn/packages/pidgin/?op=revision&rev=85620
>>
>> So not really non-public any more.
>
> This is Not OK. I'm now taking suggestions on how to make sure
> packagers understand their responsibilities. :-P
>
> So ... maybe we should do a 2.7.2 with nothing but this patch;
> thoughts?

Sigh.

I think we should do a 2.7.2 now, with nothing but this patch. August
5th is quite far away for a public crash bug that's so easy to trigger.
We could string freeze now and give translators a week... but that
seems rushed, and doesn't give devs a chance to finish any string
changes that they may have in mind.

I'll start working on this now.

Packagers: since this is already public, I guess you should feel free
to apply this patch to your 2.7.1 packages and release to the world.
Our 2.7.2 will contain ONLY this patch (and minor ChangeLog and NEWS
updates)--so if you patch 2.7.1 then you can skip 2.7.2.

And should we still do a normal release on August 5th? I could go
either way, but I'm mildly in favor.

--Mark


From elb at pidgin.im Tue Jul 20 09:01:28 2010
From: elb at pidgin.im (Ethan Blanton)
Date: Tue, 20 Jul 2010 09:01:28 -0400
Subject: Remotely-triggerable crash in libpurple
In-Reply-To: <AANLkTinDIjf8NDImqbZ5cYAGOCAZ7j0FA1NAKmCKEfiZ@mail.gmail.com>
References: <AANLkTin-3aXFwAOqkwEqTJ_u3egT1dS7UuKIvv9Rxn4B@mail.gmail.com>
	<20100719084717.14a67494@redhat.com>
	<20100719153828.GB27736@colt>
	<AANLkTinDIjf8NDImqbZ5cYAGOCAZ7j0FA1NAKmCKEfiZ@mail.gmail.com>
Message-ID: <20100720130127.GA880@colt>

Mark Doliner spake unto us the following wisdom:
> I think we should do a 2.7.2 now, with nothing but this patch. August
> 5th is quite far away for a public crash bug that's so easy to
> trigger. We could string freeze now and give translators a week...
> but that seems rushed, and doesn't give devs a chance to finish any
> string changes that they may have in mind.

Agreed.

> And should we still do a normal release on August 5th? I could go
> either way, but I'm mildly in favor.

I also am mildly in favor.

Ethan


From mark at kingant.net Wed Jul 21 12:32:54 2010
From: mark at kingant.net (Mark Doliner)
Date: Wed, 21 Jul 2010 09:32:54 -0700
Subject: Remotely-triggerable crash in libpurple
In-Reply-To: <20100720130127.GA880@colt>
References: <AANLkTin-3aXFwAOqkwEqTJ_u3egT1dS7UuKIvv9Rxn4B@mail.gmail.com>
	<20100719084717.14a67494@redhat.com>
	<20100719153828.GB27736@colt>
	<AANLkTinDIjf8NDImqbZ5cYAGOCAZ7j0FA1NAKmCKEfiZ@mail.gmail.com>
	<20100720130127.GA880@colt>
Message-ID: <AANLkTilj4OEahA3c9AYJ5bYhz86hi20WoTY3F-nKa5MD@mail.gmail.com>

On Tue, Jul 20, 2010 at 6:01 AM, Ethan Blanton <elb at pidgin.im> wrote:
> Mark Doliner spake unto us the following wisdom:
>> I think we should do a 2.7.2 now, with nothing but this patch. August
>> 5th is quite far away for a public crash bug that's so easy to
>> trigger. We could string freeze now and give translators a week...
>> but that seems rushed, and doesn't give devs a chance to finish any
>> string changes that they may have in mind.
>
> Agreed.

2.7.2 is released and contains this patch. You can get tarballs from:
https://sourceforge.net/projects/pidgin/files/Pidgin/2.7.2/

Our info about the bug is here:
http://pidgin.im/news/security/?id=47

--Mark
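The four parsing defects Mark describes in his first message (unchecked strstr() result, closing tag searched from the start of the buffer, in-place NUL written into the shared buffer, and overlapping copies within the same string) can all be avoided by one small extractor. The following is an added example written for this thread, not libpurple's oscar code or the attached patch; it assumes the xstatus elements are literally `<title>` and `<desc>` (the thread names "title" and "desc" tags but the exact markup is not shown), and it copies each field into its own buffer instead of editing the XML in place.

```c
#include <stdio.h>
#include <string.h>

/* Copy the text between <name> and </name> into out (size outsz).
 * Returns 1 on success, 0 if the element is absent or malformed.
 * Never writes into xml and never dereferences a NULL from strstr(). */
static int xstatus_get_element(const char *xml, const char *name,
                               char *out, size_t outsz)
{
    char open_tag[32], close_tag[32];
    const char *start, *end;
    size_t len;

    snprintf(open_tag, sizeof open_tag, "<%s>", name);
    snprintf(close_tag, sizeof close_tag, "</%s>", name);

    start = strstr(xml, open_tag);
    if (start == NULL)
        return 0;
    start += strlen(open_tag);

    /* Problem #2: look for the closing tag only AFTER the opening tag,
     * so a stray "</title>" that precedes "<title>" cannot be matched. */
    end = strstr(start, close_tag);
    /* Problem #1: a missing closing tag yields NULL; report "absent"
     * instead of computing end - start on a NULL pointer. */
    if (end == NULL)
        return 0;

    len = (size_t)(end - start);
    if (len >= outsz)          /* truncate rather than overflow out */
        len = outsz - 1;
    /* Problems #3 and #4: copy into a separate buffer rather than
     * planting a NUL in xml, so extracting "title" never truncates the
     * string a later "desc" search scans, and source and destination
     * can never overlap. */
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Parse both xstatus fields (assumed tag names); returns how many were found.
 * A missing or malformed field becomes the empty string, never a crash. */
static int xstatus_parse(const char *xml, char *title, size_t tsz,
                         char *desc, size_t dsz)
{
    int found = 0;
    if (xstatus_get_element(xml, "title", title, tsz)) found++; else title[0] = '\0';
    if (xstatus_get_element(xml, "desc", desc, dsz)) found++; else desc[0] = '\0';
    return found;
}
```

The inputs in the test below are constructed to hit each of the four cases from the first message; the pre-2.7.2 behaviour on the first of them was the null pointer dereference that CVE-2010-2528 covers.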